On Tue, 22 Nov 2022, Paulina Budzon via FreeIPA-users wrote:
Thanks for your help!
This is coming from an attempt to get a Kerberos service ticket using
credentials for the user you are using to enroll this machine. Since you
are passing '-w$password' and not any specific principal, this means it
is the machine itself, hence we see
I'm passing -phost-enrollment (host-enrollment is the user for the password in
-w), should I be adding something more?
'TGT has been revoked' error comes from your KDC on the IPA master. Please check
/var/log/krb5kdc.log on the IPA server you connected to for this deployment.
There should be one of the explaining messages prior to the rejection. It might
be prefixed with the 'PAC issue:' string.
There's nothing around this exact time, the only bits regarding a specific
failed host that I could find are:
krb5kdc[4526](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17),
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 172.22.2.123:
NEEDED_PREAUTH: host/[email protected] for
krbtgt/[email protected], Additional pre-authentication required
krb5kdc[4526](info): closing down fd 4
krb5kdc[4525](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19),
camellia128-cts-cmac(25)}) 172.22.2.123: ISSUE: authtime 1669105826, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, host/[email protected] for
krbtgt/[email protected]
(Different host in the logs above than before, but we had this issue again this
morning and it was easier to look up than older logs).
In terms of errors, the only one I could find in the logs was:
krb5kdc[27486](Error): PAC issue: ipadb_get_principal failed.
Can you please share with me the log lines around this one?
Also,
ipa user-show --all --raw host-enrollment
ipa trustconfig-show --all --raw
You can send them privately, if needed.
This was logged right before the whole set of instances got their errors.
I did also notice that some of the same hostnames exist in older
Kerberos logs (hostnames will get repeated in our cloud env every now
and then), could this be the cause? A host with a previously used
hostname trying to enrol again? We have an automated process in place
that calls host-del to IPA when an instance is terminated to delete it
and its data from IPA, but maybe we should be clearing something from
Kerberos directly too?
If the host is already enrolled, this would cause a problem to enroll unless
you pass --force to ipa-client-install. This is unrelated to the issues
you are seeing as you are getting the error in a different stage of the
installer.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
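A small triage helper for the krb5kdc.log analysis discussed in the thread (pulling the AS_REQ/TGS_REQ lines that sit around a 'PAC issue' error so they can be sent along with the report). This is an added example, not code from the thread or from FreeIPA; the log sample, hostnames, realm, IP and PIDs are constructed, and correlating a request with the error by KDC worker PID within a time window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/krb5kdc.log entries, modelled on the lines quoted
# in the thread but with the syslog timestamp prefix a real log carries. Etype
# lists are abbreviated to their numeric ids; hostnames, realm, IP and PIDs are
# placeholders, and the TGS_REQ line only approximates the "revoked" rejection.
SAMPLE_LOG = """\
Nov 22 08:30:26 ipa1 krb5kdc[4526](info): AS_REQ (6 etypes {18, 20, 26, 17, 19, 25}) 172.22.2.123: NEEDED_PREAUTH: host/web-01.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 22 08:30:26 ipa1 krb5kdc[4526](info): closing down fd 4
Nov 22 08:30:27 ipa1 krb5kdc[4525](info): AS_REQ (6 etypes {18, 20, 26, 17, 19, 25}) 172.22.2.123: ISSUE: authtime 1669105827, etypes {rep=18, tkt=18, ses=18}, host/web-01.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 22 08:30:29 ipa1 krb5kdc[4525](Error): PAC issue: ipadb_get_principal failed.
Nov 22 08:30:29 ipa1 krb5kdc[4525](info): TGS_REQ (6 etypes {18, 20, 26, 17, 19, 25}) 172.22.2.123: TGT has been revoked: authtime 1669105827, host/web-01.example.test@EXAMPLE.TEST for ldap/ipa1.example.test@EXAMPLE.TEST
Nov 22 08:45:10 ipa1 krb5kdc[4526](info): AS_REQ (6 etypes {18, 20, 26, 17, 19, 25}) 172.22.2.77: ISSUE: authtime 1669106710, etypes {rep=18, tkt=18, ses=18}, host/db-02.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[(?P<pid>\d+)\]"
                     r"\((?P<level>\w+)\): (?P<msg>.*)$")
# Request lines: kind, client address, status word(s) before the next colon,
# then the client principal and the requested service principal.
REQ_RE = re.compile(r"^(?P<kind>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[0-9a-f.:]+): "
                    r"(?P<status>[^:]+):.*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)")


def parse_kdc_log(text):
    """Turn krb5kdc.log lines into dicts; request lines also carry kind/ip/status/client."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line
        e = m.groupdict()
        # syslog stamps have no year; pin a leap year so "Feb 29" still parses
        e["time"] = datetime.strptime("2000 " + e["ts"], "%Y %b %d %H:%M:%S")
        r = REQ_RE.match(e["msg"])
        if r:
            e.update(r.groupdict())
        entries.append(e)
    return entries


def pac_issue_context(entries, window=timedelta(seconds=10)):
    """For every 'PAC issue' error, collect the requests logged by the same KDC
    worker (same PID, a heuristic) within `window` on either side of it."""
    out = []
    for err in entries:
        if err["level"] != "Error" or not err["msg"].startswith("PAC issue"):
            continue
        related = [e for e in entries if "kind" in e and e["pid"] == err["pid"]
                   and abs(e["time"] - err["time"]) <= window]
        out.append({"error": err["msg"], "time": err["ts"], "requests": related,
                    "clients": sorted({e["client"] for e in related})})
    return out
```

Running `pac_issue_context(parse_kdc_log(open("/var/log/krb5kdc.log").read()))` on a real log yields, per error, the principals and the AS_REQ/TGS_REQ lines to include when asking for help.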